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(57) A scheme for depositing a private key used in 
the RSA cryptosystem which is capable of maintaining 
the private key more safely, without requiring a user to 
always caay around a storage medium. In this scheme, 
a private key of a user is divided into a first partial pri- 
vate key and a second partial private key at a user's 
entity, where the first partial private key is set to be 
maintained at the user's entity, while the second partial 
private key is deposited from the user's entity to the 
other entity. Then, the second partial private key is deliv- 
ered from the other entity to the user's entity in 
response to a request from the user's entity, and the first 
partial private key maintained at the user's entity and 
the second partial private key delivered from the other 
entity are composed so as to obtain the private key to be 
used in a processing according to the RSA ayptosys- 
tem at the user's entity. This scheme can be generalized 
to a case of dividing the private key into a plurality of 
partial private keys. 
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BACKGROUND OF THE INVENTION 

5 FIELD OF THE INVENTION 

The present invention relates to a method and a system for depositing a private key used in an RSA (Rivest Shamir 
Adieman) cryptosystem, where a private key of a client user is deposited to a reliable organization such as a key man- 
agement server, and a key to be deposited is changed, for the purpose of providing a security service such as a user 
10 authentication or a secret communication using the RSA cryptosystem between a client and a server in a computer net- 
work environment of a client-server system. 

DESCRIPTION OF THE BACKGROUND ART 

15 In recent years, in conjunction with a down-sizing of computers and a spread of Internet, many activities have been 
undertaken in relation to a security in an open computer network environment. For example, the PEM (Privacy 
Enhanced Mail) has been standardized by the IETF as the first encrypted mail standard which incorporates crypto- 
graphic descriptions in Internet, and a specification in a form of RFC (Request For Comments) is currently issued. 
In order to realize a safe communication in such a network, it is indispensable to establish a privacy of communi- 

20 cation data and an authenticity of a user based a user authentication. The privacy and the authenticity can be realized 
by utilizing the cryptographic technique. 

For instance, the public key cryptosystem is a cryptographic scheme in which a key for encryption (an encryption 
key) and a key for decryption (a decryption key) are set to be different from each other so as to make it difficult to guess 
the decryption key from the encryption key Each user utilizing the public key cryptosystem has individually assigned 

25 encryption key and decryption key, and when a sender sends a message to a receiver, the sender encrypts the mes- 
sage by using the publicly disclosed encryption key of the receiver, and the receiver deaypts the received message by 
using his own decryption key. so as to realize a communication with a sufficient privacy Also, by reversing an order of 
the encryption and the decryption, only a person who owns the decryption key (private key) can attach a digital signa- 
ture to a message, and anyone who knows that person's encryption key (public key) can verify the digital signature of 

30 that person. 

One of the most widely known examples of the public key cryptosystem is the RSA cryptosystem (see, R.L. Rivest, 
A. Shamir and L Adieman: "A Method for Obtaining Digital Signatures and Public-key Cryptosystems", Communica- 
tions of the ACM, Vol. 21(2). pp. 120-126, February 1978). 

However, in a conventional method for realizing a safe communication by utilizing the cryptographic technique as 
35 described above, the private key which is unique to each user must be managed safely, and to this end. there are some 
known schemes including the following. 

One scheme is to maintain the private key in a storage medium having a ayptographic processing function such 
as a smart card, so as to make It hard to take out the key from an external of the card, and to adopt a highly safe meas- 
ure of outputting only ayptographically processed data obtained from entered input data by using the private key main- 
40 tained inside the card. 

Another scheme is to maintain the private key in an encrypted form obtained by using a key decryption key gener- 
ated according to a password phrase of a user, where a legitimate user who knows the password can acquire the pri- 
vate key whenever necessary by entering the password, in response to which the same key decryption key is generated 
again and the encrypted private key is deaypted by using the generated key decryption key This latter scheme is spec- 
45 ified in the PKCS ("Private-Key information Syntax Standard", Version 1.2, RSA Data Security Inc., November 1993) 
which is proposed by the RSA Laboratories as a standard implementation in a case of utilizing the pii)lic key crypto- 
graphic technique. 

However, in the former scheme, there is a problem that it is necessary for a user to always cany around the private 
key as maintained in the storage medium such as a smart card. Also, in the latter scheme, there is a problem that it is 

50 possible to pretend the legitimate user by carrying out the cryptanalysis on the encrypted private key. 

On the other hand, it is also possible to improve the safety by setting a period for updating the key shorter, but in 
the public key cryptosystem such as the RSA cryptosystem it is possible to commit an illegal conduct by generating an 
unauthorized key pair and pretending the other person. For this reason, in order to guarantee the relation between a 
user and his public key a public key certificate which is signed by the private key of either a reliable third party organi- 

55 zation or another trustworthy user will be issued nornrmlly In a case of carrying out the mutual authentication between 
users, the public key certificate of the correspondent user is verified by using the public key of that third party organiza- 
tion or another trustworthy user, and his public key Is used only after the correctness of the correspondent user's name 
and public key is confirmed. 
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However, at a time of the key updating, the public key is also changed when the private key is changed, so that 
there is a need to modify the public key certificate that has already been issued and publicly disclosed to many users, 
every time the key updating takes place, and therefore there is a problem that the key management becomes quite tedi- 
ous. 

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to provide to provide a method and a system for depositing a private 
key used in the RSA cryptosystem which is capable of maintaining the private key more safely, without requiring a user 
to always carry around a storage medium. 

It is another object of the present Invention to provide a method and a system for depositing a private key used in 
the RSA cryptosystem in which the user*s private ksy is to be used in division into two or more parts, and partial private 
keys obtained from the user's private key can be changed without changing the user's public key 

According to one aspect of the present invention there is provided a method for depositing a private key used in an 
RSA cryptosystem, comprising the steps of: dividing a private key of a user into a first partial private key and a second 
partial private key at a user's entity, where the first partial private key is set to be maintained at the user's entity; depos- 
iting the second partial private key from the user's entity to another entity; delivering the second partial private key from 
said another entity to the user's entity in response to a request from the user's entity; and composing the first partial 
private key maintained at the user's entity and the second partial private key delivered from said another entity so as to 
obtain the private key to be used in a processing according to the RSA cryptosystem at the user's entity. 

According to another aspect of the present invention there is provided a method for depositing a private key used 
in an RSA cryptosystem, conrprising the steps of: dividing a private key of a user into a plurality of partial private keys 
at a user's entity, where one of said plurality of partial private keys is set to be maintained at the user's entity; depositing 
remaining ones of said plurality of partial private keys from the user's entity to mutually different ones of other entities 
respectively; delivering the remaining ones of said plurality of partial private keys from the other entities to the user's 
entity in response to a request from the user's entity; and composing said one of said plurality of partial private keys 
maintained at the user's entity and the remaining ones of said plurality of partial private keys delivered from the other 
entities so as to obtain the private key to be used in a processing according to the RSA cryptosystem at the user's entity. 

According to another aspect of the present invention there is provided a system for depositing a private key used 
in an RSA cryptosystem, comprising a user's entity and another entity, wherein the user's entity includes: a private key 
dividing unit for dividing a private key of a user into a first partial private key and a second partial private key, where the 
first partial private key is set to be maintained at the user's entity; a key depositing unit for depositing the second partial 
private key to said another entity; a partial private key acquisition unit for requesting a delivery of the second partial pri- 
vate key to said another entity and receiving the second partial private key delivered from said another entity; and a pri- 
vate key conposition unit for composing the first partial private key maintained at the user's entity and the second 
partial private key delivered from said another entity so as to obtain the private key to be used in a processing according 
to the RSA cryptosystem. 

According to another aspect of the present invention there is provided a system for depositing a private key used 
in an RSA cryptosystem, comprising a user's entity and other entities, wherein the user's entity includes: a private key 
dividing unit for dividing a private key of a user into a plurality of partial private keys, where one of said plurality of partial 
private keys is set to be maintained at the user's entity; a key depositing unit for d^siting remaining ones of said plu- 
rality of partial private keys to mutually different ones of the other entities respectively; a partial private key acquisition 
unit for requesting a delivery of the remaining ones of said plurality of partial private keys to the other entities and receiv- 
ing the remaining ones of said plurality of partial private keys delivered from the other entities; and a private key com- 
position unit for composing said one of said plurality of partial private keys maintained at the user's entity and the 
remaining ones of said plurality of partial private keys delivered from the other entities so as to obtain the private key to 
be used in a processing according to the RSA cryptosystem. 

Other features and advantages of the present invention will become apparent from the following description taken 
in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic block diagram of a system configuration to which the present invention is applied. 
Fig. 2 is a sequence chart for the operation in a private key depositing system according to the first entisodiment of 
the present invention. 

Fig. 3 is a block diagram of an exemplary private key depositing system according to the first embodiment of tiie 
present invention. 

Fig. 4 is a block diagram of another exemplary private key depositing system according to ttie first embodiment of 
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the present invention. 

Fig. 5 is a sequence chart for the operation in the private key depositing system of Fig. 4. 
Rg. 6 is a block diagram of an exemplary private key depositing system according to the second embodiment of 
the present invention. 

5 Rg. 7 is a sequence chart for the operation in the private key depositing system of Rg. 6. 

Rg. 8 is a block diagram of another exemplary private key depositing system according to the second emtxxliment 
of the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

10 

Referring now to Rg. 1 to Rg. 5, the first embodiment of a method and a system for depositing a private key used 

in the RSA cryptosystem according to the present invention will be descn'bed in detail. 

Rg. 1 shows a schematic configuration of a system to which the present invention is applied, arxi Fig. 2 shows an 

outline of a method for depositing a private key in this first embodiment of the present invention. 
IS The system shown in Fig. 1 comprises an entity A 200. an entity B 300. and the other entity 400, where among the 

private key and the public key of a user which are to be used in the RSA cryptosystem. the private key is divided into 

two by the entity A 200 (S1), and one of the partial private keys (a first partial private key) is maintained at the entity A 

200 (S2), while the other one of the partial private keys (a second partial private key) is deposited to the entity B 300 

(S3) and maintained by the entity B 300 (S4). 
20 Here, according to the Multiple Key cryptosystem (see. C.A. Boyd: "Some Applications of Multiple Key Ciphers", 

Proceedings of Eurocrypt 88, pp. 455-467. Springer-Verlag. 1988), the private key to be divided into two satisfies the 

following congmence (1): 

kpxksl xks2» 1 (modL) (1) 

25 

where kp is the public key, ks1 is the first partial private key, ks2 is the second partial private key. L is the least common 
multiple of (p-1) and (q-1), and p and q are arbitrary mutually different large prime numbers. Also, in the following n is a 
product of p and q. 

In other words, the entity A 200 encrypts its own second partial private key in advance in a form that can be 
30 decrypted by a key decryption key that is known only to the entity A 200, and deposits this encrypted second partial 
private key to the entity B 300. Here, the key decryption key and a key (encryption key) for encrypting in a form that can 
be decrypted by the key decryption key can be a symmetric key according to the symmetric key cryptosystem in which 
the encryption key and tiie decryption key are set to be the same such as the DES (Data Encryption Standard) scheme 
or tiie FEAL (Fast data Encipherment ALgorithm) scheme (see B. Schneier, "Applied Cryptography". John Wiley & 
35 Sons inc.. 1 996, for example). It is also possible to use the second partial private key as the encryption key while using 
the first partial private key and the public key as the key decryption key, according to the RSA cryptosystem. 

In addition, these tvra approaches may be combined so as to increase an amount of calculations required in cryp- 
tanalyzing the encrypted second partial private key, and tiiereby making tiie one by one attack on a key for encryption 
practically very difficult. 

40 Next, when a request for acquiring the second partial private key is issued from the entity A 200 to the entity B 300 
(S5), the entity B 300 delivers tiie second partial private key maintained therein to the entity A 200 (S6). 

Here, When it becomes necessary for the entity A 200 to have tiie second partial private key delivered from tiie 
entity B 300, the entity A 200 issues a second partial private key acquisition request. Then, upon receiving tiiis second 
partial private key acquisition request, tiie entity B 300 retrieves tiie second partial private key which is safely protected 

45 by being encrypted by the encryption key, and delivers this second partial private key to the entity A 200. 

Next, at tiie entity A 200, the authentication processing with respect to the otiier entity 400 is carried out (ST) by 
using tiie private key which is composed from the first partial private key maintained at the entity A 200 itself and tiie 
second partial private key delivered from the entity B 300. At this point, when the encrypted second partial private key 
is acquired, tiie entity A 200 takes out the key decryption key for decrypting this encrypted second partial private key 

so and decrypts this second partial private key by using tiiat key deayption key, so as to take out the second partial private 
key In ttiis manner, only tiie entity A 200 tiiat knows the proper key decryption key can acquire tiie secorKi partial pri- 
vate key, and carry out the authentication with respect to the other entity 400 by can-ying out the RSA cryptosystem 
processing using the obtained second partial private key and the first partial private key togetiier as the private key of 
the user. 

55 Rg. 3 shows a configuration of a private key depositing system in the first embodiment of the present invention. 
The private key depositing system shown in Rg. 3 comprises the entity A 200 and the entity B 300. 
The entity A 200 comprises a key division unit 205. a key depositing unit 206, a key memory unit 203. a deposit key 
acquisition request unit 204, a deposit key receiving unit 208. a deposit key extraction unit 209. and a private key com- 
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position unit 210. 

The entity B 300 comprises a deposit key acquisition request receiving unit 305. a deposit key memory unit 306, 
and a deposit key delivery unit 307. 

The key division unit 205 divides the private key to be used In the RSA ayptosystem into two. and transfers one of 
5 them (the first partial private key) to the key memory unit 203 while the transferring the other one (the second partial 
private key) as the deposit key to the key depositing unit 206. 

The key depositing unit 206 then deposits the deposit key obtained at the key division unit 205 to the entity B 300. 

The key memory unit 203 stores the first partial private key obtained from the private key and the key decryption 

key 

10 The deposit key acquisition request unit 204 issues an acquisition request for tiie deposit key that has been depos- 
ited to the entity B 300. 

The deposit key receiving unit 208 acquires the deposit key from the entity B 300. 

The deposit key extraction unit 209 acquires the key decryption key for decrypting tiie deposit key from tiie key 
memory unit 203. and decrypts the deposit key. 
IS The private key composition unit 210 carries out tiie autiientication with respect to the other entity 400 using the 
private key obtained by composing the decrypted deposit key and the first partial private key. 

The deposit key memory unit 306 of the entity B 300 stores the deposit key deposited from the entity A 200 Ihe 
deposit key acquisition request receiving unit 305 receives the deposit key acquisition request from the entity A 200, 
relieves tiie deposit key from tiie deposit key memory unit 306 according to this request, and transfers the retrieved 
20 deposit key to tiie deposit key delivery unit 307. 

The deposit key delivery unit 307 delivers tiie deposit key transferred by tiie deposit key acquisition request receiv- 
ing unit 305 to the entity A 200. 

Next, a more specific example of a private key depositing system in the first embodiment of the present invention 
will be described. 

25 First the variables and functions used in tiie following description will be defined. 

Namely, in the following, kp is tiie RSA public key of the user while ksl and ks2 are partial keys of the RSA private 
key of the user, and tiiese keys kp. ksl and ks2 are determined such tiiat the congruence (1) described above is satis- 
fied according to tiie Multiple Key cryptosystem. In addition, ksl is determined to be in a small number of figures that 
can be memorized by the user as a password, while ks2 is used as the deposit key to be deposited to a private key 

30 deposit organization. M denotes an arbitrary plaintext blocK C denotes a result of encryption of M, and (a mod b) 
denotes a residue of a divided by b. Also, X' is data obtained by encrypting ttie deposit key ks2 by using tiie deposit key 
ks2 itself as the encryption key according to the RSA cryptosystem. while X is data obtained by encrypting X' by using 
a symmetric key Skey which is generated according to the password according to the symmetric key cryptosystem. 
Also, a function E denotes tiie symmetric key encryption algorithm, while a function D denotes an inverse function of 

35 the function E. 

Fig. 4 shows a specific exanrple of the private key depositing system in the first embodiment of the present inven- 
tion. 

In Fig. 4, the node A (entity A) 200 and tiie private key deposit organization (entity B) 300 are connected through a 
network 500, and a user operates tiie node A 200 in order to have his own deposit key delivered safely from the private 
40 key deposit organization. The node A 200 has a password input receiving unit 201 for receiving tiie password from tiie 
user 600 and a symmetric key generation unit 202 for generating the symmetric key Skey from tiie received password. 
Also, the structural elements which are identical to those appearing in Fig. 3 are given the same reference numerals in 
Fig. 4 and their description will be omitted here. 

Now, the operation in tiie configuration shown In Fig. 4 will be described witii reference to Fig. 5. 
45 In the configuration of Rg. 4. when tiie node A 200 receives the password ksl from tiie user 600 at the password 
input receiving unit 201 (S1 01 ), tiie received password ksl is given to the symmetric key generation unit 202 while also 
being stored in the key memory unit 203 (SI 02). 

The symmeti'ic key generation unit 202 generates tiie symmetric key Skey to be used in tiie symmetric key enayp- 
tion algorithm (SI 03). and ti-ansfers the generated symmetric key Skey to the key memory unit 203 similarly. Here, tiie 
50 generation of the symmetric key Skey at the symmeti'ic key generation unit 202 can be done by using an algorithm such 
as tiie one-way random hush function in which an information before the key generation cannot be easily ascertained 
from a state after the key generation. 

A representative example of the typical one-way random function is MD5 proposed by Ron Rivest (see B, Schneier. 
"Applied Cryptography^ John Wiley & Sons Inc.. 1996, for exanple). In MD5. it is possible to generate a hush value of 
55 128 bits with respect to a message in arbitrary length. 

Next, in order to acquire tiie deposit key registered in advance at the private key deposit organization 300, the node 
A 200 generates a request message for acquiring tiie deposit key at the deposit key acquisition request unit 204 (SI 04), 
and transmits tiiis request message through the network 500 (SI 05). This request message contains the user's name. 
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At the private key deposit organization 300, when the request message from the node A 200 is received by the 
deposit key acquisition request receiving unit 305, the public key and the deposit key corresponding to the user*s name 
contained the received request message are retrieved from the dqsosit key memory unit (key management database) 
306 that is managed by the private key deposit organization 300 (SI 06). 
5 Here, the public key kp and the protected deposit key X managed by the key management database 306 are reg- 
istered therein in advance. Also, the protected deposit key X is protected by being encrypted according to the following 
formula (2) and (3). 

X' = ks2'®^modn (2) 

10 

X = E(Skey. X) (3) 



The public key kp and the protected deposit key X of the user that are retrieved from the key management database 
306 by the deposit key acquisition request receiving unit 305 are then given to the deposit key delivery unit 307. 
15 At the deposit key delivery unit 307, a response message for delivering the protected deposit key X to the node A 
200 is generated, and transmitted to the node A 200 (S1 07). This response message contains the public key kp and the 
protected deposit key X of the user. 

At the node A 200, when the response message is received by the deposit key receiving unit 208, the public key kp 
and the protected deposit key X contained in the received response message are given to the deposit key extraction 
20 unit 209 in order to take out the deposit key (S1 08). In addition, at the same time, the partial key ks1 and the symmetric 
key Skey stored In the key memory unit 203 are given to the deposit key extraction unit 209. 

The deposit key extraction unit 209 calculates the deposit key by the calculation according to the following formula 
(4) and (5). 

25 X* = D(Skey. X) (4) 

ks2 = (X0'^^***^modn (5) 

30 

Here, it should be apparent that, in order to calculate the deposit key ks2 correctly, it is necessary to have the partial 
key ks1 that is given as the correct password from the user and the symmetric key Skey. The deposit key ks2 calculated 
in this manner is given to the private key composition unit 210 along with the partial key ks1 so as to be utilized as the 
RSA private key. The private key composition unit 210 composes the two partial keys, that is the partial key ksl given 
35 from the key memory unit 203 and the deposit key ks2 given from the deposit key extraction unit 209. and utilizes the 
composed key as the private key of the RSA cryptosystem (S1 1 0). Here, the public key kp is utilized in a case of enayp- 
tion according to the following formula (6) while the private key ks = ksl x ks2 is utilized in a case of decryption accord- 
ing to the following formula (7). 



40 



C = M*^nTOdn 



M = C'^'^'^modn 



(6) 
(7) 



In this manner, the deposit key maintained at the private key deposit organization 300 can be delivered to the node 
45 A 200 in response to the request from the user 600. and the user 600 can carry out the authentication with respect to 
the other entity by using the password which is the first partial private key known to himself and the second partial pri- 
vate key which is the deposit key delivered from the private key deposit organization 300. 

In addition, in maintaining and delivering the deposit key, it is possible to manage arxl deliver the deposit key safely 
by encrypting the deposit key in a form that can be decrypted by the key decryption key known only to the user 600, 
50 such as the password. 

Moreover, the deposit key can be safely delivered by using the symmetric key, the first partial private key, or a com- 
bination of both as the key deayption key for deaypting the protected deposit key. 

Referring now to Fig. 6 to Rg. 8, the second embodiment of a method and a system for depositing a private key 
used in the RSA cryptosystem according to the present invention, which is related to the key change, will be described 
55 in detail. Here, the system to which the present Invention is applied is the same as that shown in Fig. 1 desaibed above. 

Rg. 6 shows a configuration of a private key depositing system in this second embodiment of the present invention, 
and Rg. 7 shows an outline of a method for depositing a private key in this second embodiment of the present invention. 

The entity A 200 shown in Fig. 6 comprises: a key division unit 21 1 for dividing the private key into the first partial 
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private key and the secx>nd partial private key; a key memory unit 21 3 for storing the first partial private key and the key 
decryption key: a deposit key Information acquisition request unit 214 for making a request for a delivery of a deposit 
key information formed by the second partial private key deposited to the entity B 300 and the prime numbers p and q; 
a deposit key information receiving unit 218 for receiving the deposit key information from the entity B 300; a deposit 

5 key Information extraction unit 219 for extracting the second partial private key and the prime numbers p and q by 
decrypting the encrypted deposit key information given from the deposit key information receiving unit 21 8 by using the 
key decryption key stored in the key memory unit 21 3; and a partial private key generation unit 220 for generating a new 
first partial private key and a new second partial private key from the prime numbers p and q. 

The entity B 300 shown in Rg. 6 comprises: a deposit key information acquisition request receiving unit 315 for 

TO receiving the deposit key information delivery request from the entity A 200; a deposit key information memory unit 316 
for storing the deposit key information which is encrypted by using the encryption key in advance, and returning the pro- 
tected deposit key information corresponding to the entity A 200 in response to the retrieval request from the deposit 
key information acquisition request receiving unit 315; and a deposit key information delivery unit 31 7 for delivering the 
protected deposit key information received from the deposit key information acquisition request receiving unit 31 5 to tiie 

15 entity A 200. 

First, among the private key and the public key of a user which are to be used In the RSA cryptosystem. the private 
key is divided into two by tiie entity A 200 (S1 1), and one of the partial private keys (a first partial private key) is main- 
tained at the entity A 200 (S12), while the other one of the partial private keys (a second partial private key) is deposited 
to tiie entity B 300 (S13) and maintained by the entity B 300. 
20 Here, according to tiie Multiple Key cryptosystem (see. C.A. Boyd: "Some Applications of Multiple Key Ciphers^ 
Proceedings of Eurocrypt 88. pp. 455-467, Springer- Verlag, 1988). the private key to be divided into two satisfies tiie 
following congruence (1): 

kp X ksl X ks2 = 1 (mod L) (1) 

25 

where kp is tiie public key. ks1 is the first partial private key, ks2 is tiie second partial private key, L is the least common 
multiple of (p-1) and (q-1). and p and q are arbitrary mutually different large prime numbers. Also, in tiie following n is a 
product of p and q. 

The entity A 200 encrypts tiie deposit key information formed by the second partial private key obtained from tiie 
30 private key at the key division unit 211 and tiie prime numbers p and q in a form that can be decrypted by a key deayp- 
tion key that is known only to the entity A 200. and deposits this encrypted deposit key information to the entity B 300. 
Here, the key decryption key and a key (encryption key) for encrypting in a form tiiat can be decrypted by tiie key 
decryption key can be a symmetric key according to the symmetric key cryptosystem in which the encryption key and 
the decryption key are set to be the same such as the DES (Data Encryption Standard) scheme or tiie FEAL (Fast data 
35 Encipherment Algorithm) scheme (see B. Schneier. "Applied Cryptography". John Wiley & Sons Inc.. 1996. for exam- 
ple). It is also possible to use tiie second partial private key as tiie encryption key while using the first partial private key 
and the public key as tiie key decryption key. according to the RSA cryptosystem. 

In addition, tiiese two approaches may be confined so as to increase an amount of calculations required in cryp- 
tanalyzing tiie encrypted second partial private key, and thereby making tiie one by one attack on a key for encryption 
40 practically very difficult. 

Next, the deposit key information acquisition request unit 214 of the entity A 200 issues an acquisition request for 
the deposit key information to tiie entity B 300 (SI 4). 

In response, when this request is received, tiie deposit key information acquisition request receiving unit 315 of tiie 
entity B 300 retrieves the deposit key information which is safely protected by t>eing encrypted by the encryption key 
45 from the deposit key information memory unit 316. Then, the entity B 300 delivers the protected deposit key information 
to ttie entity A 200 from the deposit key information delivery unit 317 (SI 5). 

Next, at the entity A 200, tihe deposit key information delivered from the deposit key information delivery unit 317 is 
received at the deposit key information receiving unit 218. and transferred to tiie deposit key information extraction unit 
219 in order to decrypt tiie deposit key information. 
50 The deposit key information extraction unit 219 takes out tiie deposit key information by deaypting the protected 
deposit key information using the key decryption key stored in the key memory unit 21 3 (SI 6). In this manner, only tiie 
entity A 200 tiiat knows the proper key decryption key can acquire the deposit key information, and compose the first 
partial private key and the second partial private key togetiier as the private key ks (SI 7). 

In addition, at the partial private key generation unit 220, using the prime numbers p and q in tiie deposit key infor- 
55 mation, tiie partial private keys are changed without changing the public key (SI 8), by generating a new first partial pri- 
vate key ksV and a new second partial private key ks2* which satisfy tiie following congruence (8). 

ks1'xks2'°ks(modL) (8) 
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Next, a more specific example of a private key depositing system in tlie second embodiment of the present inven- 
tion will be described. 

Rrst. the variables and functions used in the following description will be defined. 

Namely, in the following, kp is the RSA public key of the user while ks1 and ks2 are partial keys of the RSA private 
5 key of the user, and these keys kp. ks1 and ks2 are determined such that the congruence (1) described above is satis- 
fied according to the Multiple Key cryptosystem. In addition. ks1 is determined to be in a smalt number of figures that 
can be memorized by the user as a password, while ks2 and the prime numbers p and q are used as the deposit key 
information to be deposited to a private key deposit organization. M denotes an arbitrary plaintext block, C denotes a 
result of encryption of M, and (a mod b) denotes a residue of a divided by b. Also. X" is data obtained by encrypting the 
10 deposit key information by using the deposit key ks2 itself as the encryption key according to the RSA ayptosystem. 
Rg. 8 shows a specific example of the private key depositing system in tiie second embodiment of the present 
invention. 

In Fig. 8, the node A corresponds to the entity A 200 described above and the private key deposit organization cor- 
responds to the entity B 300 desaibed above. Also, the structural elements which are identical to those appearing in 
15 Rg. 6 are given the same reference numerals in Rg. 8 and their description will be omitted here. 

In the configuration of Rg. 8. tiie node A 200 comprises a password input receiving unit 212 for receiving the pass- 
word from the user 600, the key memory unit 213, the deposit key information acquisition request unit 214. tiie deposit 
key information receiving unit 21 8, the deposit key information extraction unit 21 9. and the partial private key generation 
unit 220. 

20 The private key deposit organization 300 comprises the deposit key information acquisition request receiving unit 
315, the deposit key information memory unit (key management database) 316 which stores the deposit key informa- 
tion deposited from the user's node along with the public key in correspondence to each user's name, and the deposit 
key information delivery unit 317. 

Here, tiie node A 200 and the private key deposit organization 300 are connected tiirough a network 500. 
25 Now, the operation in the configuration shown in Rg. 8 will be described. 

When the node A 200 receives tiie password ksl from tiie user 600 at the password input receiving unit 212, tiie 
received password ks1 is stored in the key memory unit 213. 

Next, in order to acquire tiie deposit key information registered in advance at tiie private key deposit organization 
300, the node A 200 generates a request message for acquiring tiie deposit key information at the deposit key infbrma- 
30 tion acquisition request unit 214, and transmits this request message tiirough tiie network 500. This request message 
contains the user's name. 

At tiie private key deposit organization 300. when the request message from tiie node A 200 is received by tiie 
deposit key information acquisition request receiving unit 315, tiie public key and the deposit key information corre- 
sponding to tiie user's name contained the received request message are retrieved from tiie key management data- 
35 base 316 tiiat is managed by the private key deposit organization 300. 

Here, the public key kp and the protected deposit key information X" managed by the key management database 
316 are registered tiierein in advance. Also, the protected deposit key information X" is protected by being encrypted 
according to tiie following fbrnuila (9). 

40 X" = (ks2.p,q)*^modn (9) 

The public key kp and the protected deposit key information X" of the user ttiat are retrieved from the key manage- 
ment database 316 by tiie deposit key information acquisition request receiving unit 315 are tiien given to the deposit 
key information delivery unit 317. 
45 At the deposit key information delivery unit 3 1 7, a response message for delivering ttie protected deposit key infor- 
mation X" to the node A 200 is generated, and transmitted to the node A 200. This response message contains the pub- 
lic key kp and the protected deposit key information "X of the user. 

At the node A 200. when tiie response message is received by the deposit key information receiving unit 218. tiie 
public key kp and tiie protected deposit key information X" contained In the received response message are given to 
so the deposit key information extraction unit 219 in order to take out the deposit key information. In addition, at the same 
time, the partial key ksl stored In the key memory unit 213 is given to the deposit key information extraction unit 219. 

The deposit key information extraction unit 219 calculates tiie deposit key information by tiie calculation according 
to the following formula (10). 

(ks2, p, q) = (X") ' mod n (10) 
= (ks2.p.q)^^*^^^*^modn 
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Here, it should be apparent that, in order to calculate the deposit key information correctly, it is necessary to have 
the partial key ks1 that is given as the correct password from the user. The deposit key ks2 in the deposit key informa- 
tion calculated in this manner can be composed with the partial key ksl according to: 

ks=:ks1xks2 (11) 

and utilized as the RSA private key ks. 

In addition, at the partial private key generation unit 220, using the partial key ksl given from tiie key memory unit 
213 and the deposit key ks2 and the prime numbers p and q given from the deposit key information extraction unit 219. 
a new first partial private key ksV and a new second partial private key ks2' can be generated according to the congru- 
ence (8) described above. 

After the generation of these new partial keys, the new partial key ksl* to be used as tiie pasword is notified to tiie 
user, and the new deposit key information to be deposited to tiie private key deposit organization 300 is calculated by 
the following formula (12) which is similar to tiie above described formula (9). 

X" = (ks2',p,q)*®^'modn (12) 

It should be apparent that, by means of the above described procedure, the two partial private keys of the user can 
be changed at any time, without changing the public key kp. 

It is to be noted tiiat, in the embodiments described above, a case of dividing the private key into two has been 
described, but the method for depositing the private key according to the present invention Is equally applicable to a 
more general case of dividing tiie private key into more than two plural parts. Namely, according to the Multiple Key 
cryptosystem, the private key that satisfies the following congruence (13): 

kp X ksl X ks2 X X ksm = 1 (mod L) (13) 

can be used, and kp is set as the public key, ksl is set as ttie first partial private key, ks2 is set as tiie second partial 
private key. and ksm is set as tiie m-th partial private key. 

In tills case, the first partial private key is maintained by tiie user, while the remaining (m-1) pieces of partial private 
keys are respectively deposited to (m-1) sets of tiie other entities. 

At tiie user's entity, tiie RSA private key ks can be calculated from tiie partial private keys delivered from these 
otiier entities in response to the request and tiie first partial private key maintained by tiie user himself according to the 
fdlowing formula (14). 

ks = ks1xks2x X ksm (14) 

Also, similarly as in the second embodiment described above, tiie prime numbers p and q used at a time of gener- 
ating tiie private key can be deposited to one of tiie otiier entities along witii tiie remaining partial private keys, and new 
partial private keys ksl', ks2', ksm' that satisfy: 

ksl' X ks2' X X ksm' = ks (rrnxJ L) (15) 

can be generated by using the prime numbers p and q which are delivered from that one of the other entities along with 
the remaining partial private keys and tiie private key ks composed at tiie user's entity, so as to change the partial pri- 
vate keys witiiout changing tiie public key. 

In this case, it basically suffices to deposit the prime numbers p and q to one other entity, but it is also possible to 
deposit tiie prime number p and the prime number q to different entities, if desired. 

It is also possible to use a number of new partial private keys that is different from a number of the original partial 
private keys, if desired. 

It is also possible to change or interchange the entities to which new partial private keys are to be deposited, so as 
to deposit new partial private keys differently from tiie conesponding original partial private keys, if desired. 

It is also to be noted tiiat, in the embodiments described above, an example in which tiie public key is acquired from 
the other entity has been described, but the present invention is not limited to tiiis example and tiie public key may be 
stored in the key memory unit 213 instead, if desired. 

As described, according to tiie present invention, the private key of the user which is used in the RSA cryptosystem 
is divided into two, one of them is deposited to tiie private key deposit organization, and tiiat one of the divided partial 
private keys is acquired from the private key deposit organization according to the need and composed witii the other 
one of tiie divided partial private key, so that only the legitimate user can acquire the deposited partial private key and 
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carry out the authentication using the obtained private key. 

Also, the partial private key to be deposited to the private key deposit organization can be deposited in an 
encrypted form obtained by using a symmetric key, so that when the request for acquiring that partial private key is 
issued from the user's entity, the deposit key can be deaypted at the user's entity, and therefore only the entity which 

5 owns the correct symmetric key can acquire the deposit key. 

Moreover, the deposit key to be deposited to the private key deposit organization can be generated by encrypting 
the partial private key to be deposited using that partial private key itself as the encryption key. so that the deposit key 
given from the private key deposit organization cannot be decrypted unless the correct first partial private key is avail- 
able at an entity which received the deposit key. 

70 In addition, the encrypted deposit key can be further encrypted by i^ing the symmetric key which is known only to 
the user's entity, and then deposited to the private key deposit organization, so as to realize an even higher security 
level. 

Also, according to the present invention, among the put)lic key and the private key utilized in the RSA ayptosystem. 
the private key is divided into two and the first partial private key is maintained at the user's entity, while the second par- 
rs tial private key is deposited to the other entity, so that it suffices to maintain the first partial private key alone at the user's 
entity, and whenever necessary, the second partial private key can be acquired from the other entity and these two par- 
tial private keys are combined, and therefore it Is safe because there is no need to maintain both of these partial private 
keys at a single location. 

Moreover, the prime numbers p and q can be attached to the second partial private key to be deposited to the other 
20 entity, and in a case of changing the first partial private key and the second partial private key, a new first partial private 
key and a new second partial private key can be generated at the user's entity by using these prime numbers p and q, 
without changing the public key. so that it becomes possible to change and manage the keys easily and there is no need 
to change the public key at the other entities. 

Also, according to the present invention, the RSA private key is divided into plural parts and one partial private key 
25 is maintained by the user, while the remaining partial private keys are deposited to the other entities, so that it is safe 
because the private key is maintained as divided plural parts. Also, it is possible make the partial private key to be nr^in- 
tained by the user can be set in a form of a password which has a sufficiently short length that can be memorized by 
the human being. Because of these features, the present Invention is capable of realizing the following advantages. 

30 (1) Location Free: 

For the user, the processing using the RSA cryptosystem becomes available not only at a specific local computer 
but also at any computer which is connected to the network. 

35 (2) Device Free: 

There is no need for the user to carry around any device for storing the private information. In other words, the pri- 
vate information for the purpose of identifying the user can be provided on a basis of an amount of information that can 
be memorized by the human being. 

40 

(3) Safety: 

Even if one partial private key becomes known to tiie other person, it is impossible to use It as the RSA private key 
unless all the other remaining partial private keys become also known, so that a high level safety can be realized. 
45 Also, it is possible to realize a system in which only tiie legitimate user who knows tiie private information can utilize 
the private key. 

Also, within a closed range to which the present invention is applied, it becomes possible to prove tiie safety of tiie 
system convincingly. For example, in the conventional scheme for storing the private key in a file, even though the RSA 
cryptosystem algorithm is used for tiie entity authentication, the otiier algoritiim such as DES scheme is to be used in 
50 order to enaypt the private key. so that it has been impossible to clearly prove which algoritiim's strength is really 
responsible for the safety of the system after all. In contrast, according to tiie present invention, it is possible to prove 
the safety of tiie system convincingly to the user. 

It is to be noted that, besides tiiose already mentioned above, many nKxfrfications and variations of tiie above 
embodiments may be made witiiout departing from the novel and advantageous features of the present invention. 
55 Accordingly, all such modifications and variations are intended to be included within the scope of tiie appended claims. 
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Claims 

1 . A method for depositing a private key used in an RSA cryptosystem, comprising the steps of: 

dividing a private key of a user into a first partial private key and a second partial private key at a user's entity, 
where the first partial private key is set to be nnaintained at the user's entity; 
depositing the second partial private key from the user's entity to another entity; 

delivering the second partial private key from said another entity to the user's entity in response to a request 
from the user's entity: and 

conrposing the first partial private key maintained at the user's entity and the second partial private key deliv- 
ered from said another entity so as to obtain the private key to be used in a processing according to the RSA 
cryptosystem at the user's entity. 

2. The method of daim 1 . wherein at the depositing step, the user's entity encrypts the second partial private key by 
using an encryption key so as to obtain an enaypted second partial private key that can be decrypted by using a 
key decryption key known only to the user's entity, and deposits the encrypted second partial private key; 

at the delivering step, said another entity delivers the encrypted second partial private key: and 
at the conposing step, the user's entity obtains the second partial private key by decrypting the encrypted sec- 
ond partial private key by using the key encryption key 

3. The method of daim 2, wherein the encryption key and the key decryption key are a symmetric key generated at 
the user's entity. 

4. The method of claim 3, wherein the symmetric key is given in a form of a hush value obtained from the first partial 
private key by using a one-way random hush function at the user's entity. 

5. The method of daim 2, wherein the encryption key is the second partial private key itself, and the key deayption 
key is formed by the first partial private key and a public key of the user. 

6. The method of daim 5, wherein said another entity maintains the second partial private key along with the public 
key. and delivers the second partial private key and the public key at the delivering step; and 

at the composing step, the user's entity forms the key decryption key from the first partial private key main- 
tained at the user's entity and the public key delivered from said another entity. 

7. The method of daim 1 , wherein at the depositing step, the user's entity encrypts the second partial private key by 
using the second partial private key itself, further encrypts an encrypted second partial private key by using a sym- 
metric key known only to the user's entity so as to obtain a deposit key. and deposits the deposit key; 

at the delivering step, said another entity delivers the deposit key: and 

at the composing step, the user's entity obtains the encrypted second partial private key by decrypting the 
deposit key by using the symmetric key, and obtains the second partial private key by decrypting the encrypted 
second partial private key by using tiie first partial private key and a public key of the user. 

8. The method of claim 7, wherein the symmetric key is given in a form of a hush value obtained from the first partial 
private key by using a one-way random hush function at the user's entity. 

9. The method of daim 7. wherein said another entity maintains the second partial private key along with the public 
key and delivers tiie second partial private key and the piMc key at the delivering step; and 

at the composing step, the user's entity decrypts the encrypted second partial private key by using the first par- 
tial private key maintained at the user's entity and the public key delivered from said anotiier entity. 

10. The method of daim 1 , wherein the first partial private key is maintained at the user's entity as a password memo- 
rized by the user. 

11. The method of claim 10, wherein the user's entity requests a delivery of tiie second partial private key to said 
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another entity when the password is entered into the user's entity by the user. 

1 2. The method of claim 1 , wherein the user's entity requests a delivery of the second partial private key to said another 
entity when the user carries out the processing according to the RSA cryptosystem at the user's entity. 

s 

13. The method of daim 1 , wherein at the depositing step, the user's ^Hy also deposits prime numbers p and q that 
are used in generating the private key; 

at the delivering step, said another entity also delivers the prime numbers p and q along with the second partial 
10 private key; and 

the mettiod further comprising the step of generating a new first partial private key and a new second partial 
private key which are different from the first partial private key and the second partial private key without 
changing a public key of the user, by using the private key obtained at tiie composing step and the prime num- 
bers p and q delivered at the delivering step. 

75 

14. A metiiod for depositing a private key used in an RSA oryptosystem, comprising the steps of: 

dividing a private key of a user into a plurality of partial private keys at a user's entity, where one of said plurality 
of partial private keys is set to be maintained at tiie user's entity; 
20 depositing remaining ones of said plurality of partial private keys from the user's entity to mutually different 

ones of other entities respectively; 

delivering the remaining ones of said plurality of partial private keys from tiie other entities to tiie user's entity 
in response to a request from the user's entity; and 

composing said one of said plurality of partial private keys maintained at the user's entity and the remaining 
25 ones of said plurality of partial private keys delivered from the other entities so as to obtain tiie private key to 

be used In a processing according to the RSA cryptosystem at the user's entity. 

1 5. The method of claim 14, wherein at the depositing step, the user's entity also deposits prime numbers p and q that 
are used in generating the private key to one of tiie other entities; 

30 

at tiie delivering step, said one of the other entities also delivers tiie prime numbers p and q along witii one of 
tiie remaining ones of saki plurality of partial private keys; and 

tiie metiiod furtiier comprising tiie step of generating a plurality of new partial private keys which are different 
from said plurality of partial private keys, without changing a public key of the user, by using the private key 
35 obtained at the composing step and the prime numbers p and 

q delivered at the delivering step. 

16. A system for depositing a private key used in an RSA cryptosystem. comprising a user's entity and anotiier entity 
40 wherein tiie user's entity includes: 

a private key dividing unit for dividing a private key of a user into a first partial private key and a second partial 
private key where tiie first partial private key is set to be maintained at the user's entity; 
a key depositing unit for depositing the second partial private key to said another entity; 
45 a partial private key acquisition unit for requesting a delivery of tiie second partial private key to said another 

entity and receiving the second partial private key delivered from said another entity; and 
a private key composition unit for composing the first partial private key maintained at the user's entity and tiie 
second partial private key delivered from said another entity so as to obtain the private key to be used in a 
processing according to the RSA cryptosystem. 

50 

1 7. The system of claim 1 6, wherein the key depositing unit encrypts tiie second partial private key by using an enayp- 
tion key so as to obtain an encrypted second partial private key tiiat can be decrypted by using a key decryption 
key known only to the user's entity, and deposits the encrypted second partial private key; 

55 said another entity delivers tiie encrypted second partial private key in response to a request from the user's 

entity; and 

the private key composition unit obtains the second partial private key by decrypting the encrypted second par- 
tial private key by using the key encryption key 
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18. The system of claim 17, wherein the encryption key and the key decryption key are a symmetric key generated at 
the user's entity. 

1 9. The system of claim 1 8, wherein the symmetric key is given In a form of a hush value obtained from the first partial 
5 private key by using a one-way random hush function at the user's entity. 

20. The system of claim 17, wherein the encryption key is the second partial private key itself, and the key decryption 
key is formed by the first partial private key and a public key of the user. 

10 21. The system of claim 20. wherein said another entity maintains the second partial private key along with the public 
key, and delivers the second partial private key and the public key In response to a request from the user's entity; 
and 

the private key composition unit forms the key decryption key from the first partial private key maintained at the 
user's entity and the public key delivered from said anotiier entity. 

The system of claim 1 6, wherein tiie key depositing unit encrypts the second partial private key by using the second 
partial private key itself, furtiier encrypts an encrypted second partial private key by using a symmetric key known 
only to tiie user's entity so as to obtain a deposit key, and deposits tiie deposit key; 

said anotiier entity delivers tiie deposit key in response to a request from tiie user's entity; and 
the private key composition unit obtains tiie encrypted second partial private key by decrypting the deposit key 
by using the symmetric key. and obtains the second partial private key by decrypting the encrypted second par- 
tial private key by using tiie first partial private key and a public key of tiie user. 

The system of claim 22, wherein the symmetric key Is given In a form of a hush value obtained from the first partial 
private key by using a one-way random hush function at the user's entity. 

The system of claim 23, wherein said anotiier entity maintains the second partial private key along with the public 
key. and delivers tiie second partial private key and tiie public key In response to a request from the user's entity; 
and 

tiie private key composition unit decrypts the encrypted second partial private key by using tiie first partial pri- 
vate key maintained at the user's entity and tiie public key delivered from said another entity. 

35 

25. The system of claim 16, wherein the first partial private key Is maintained at the user's entity as a password mem- 
orized by tiie user. 

26. The system of claim 25, wherein the partial private key acquisition unit requests a delivery of the second partial pri- 
40 vate key to said another entity when the password Is entered Into the user's entity by the user. 

27. The system of claim 1 6, wherein the partial private key acquisition unit requests a delivery of the second partial pri- 
vate key to said another entity when the user carries out the processing according to tiie RSA cryptosystem at tiie 
user's entity. 

45 

28. the system of claim 1 6. wherein tiie key depositing unit also deposits prime numbers p and q that are used in gen- 
erating tiie private key; 

said anotiier entity also delivers tiie prime numbers p and q along witii the second partial private key In 
50 response to a request from tiie user's entity; and 

the private key composition unit also generates a new first partial private key and a new second partial private 
key which are different from tiie first partial private key and tiie second partial private key, witiiout changing a 
public key of the user, by using tiie private key obtained from tiie first partial private key and tiie second partial 
private key and tiie prime numbers p and q delivered from said another entity. 

55 

29. A system for depositing a private key used in an RSA ayptosystem. comprising a user's entity and otiier entities, 
wherein tiie user's entity includes: 



22. 

20 
25 

23. 
24. 
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a private key dividing unit for dividing a private key of a user into a plurality of partial private keys, where one 
of said plurality of partial private keys is set to be nnaintained at the user's entity: 

a key depositing unit for depositing reniaining ones of said plurality of partial private keys to mutually different 
ones of the other entities respectively; 

a partial private key acquisition unit for requesting a delivery of the remaining ones of said plurality of partial 
private keys to the other entities and receiving the remaining ones of said plurality of partial private keys deliv- 
ered from the other entities: and 

a private key composition unit for composing said one of said plurality of partial private keys maintained at the 
user's entity and the remaining ones of said plurality of partial private keys delivered from the other entities so 
as to obtain the private key to be used in a processing according to the RSA cryptosystem. 

30. The system of claim 29, wherein the key depositing unit also deposits prime numbers p and q that are used in gen- 
erating the private key to one of the other entities; 

said one of the other entities also delivers the prime numbers p and q along with one of the remaining ones of 
said plurality of partial private keys In response to a request from the user's entity; and 
the private key composition unit generates a plurality of new partial private keys which are different from said 
plurality of partial private keys, without changing a public key of the user, by using the private key obtained from 
said one and the remaining ones of said plurality of partial private keys and the prime numbers p and q deliv- 
ered from the other entities. 
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(57) A scheme for depositing a private l<ey used in 
the RSA cryptosystem which is capable of maintaining 
the private key more safely without requiring a user to 
always can7 around a storage medium. In this scheme, 
a private ksy of a user is divided into a first partial pri- 
vate key and a second partial private key at a user's 
entity, where the first partial private key is set to be 
maintained at the user's entity, while the second partial 
private key is deposited from the user's entity to the 
other entity. Then, the second partial private key is deliv- 
ered from the other entity to the user's entity in 
response to a request from the user's entity, and the first 
partial private key maintained at the user's entity and 
the second partial private key delivered from the other 
entity are composed so as to obtain the private key to be 
used in a processing according to the RSA cryptosys- 
tem at the user's entity. This scheme can be generalized 
to a case of dividing the private key into a plurality of 
partial private keys. 
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